Diffstat (limited to 'src/mailman_pgp/pgp/__init__.py')
-rw-r--r--src/mailman_pgp/pgp/__init__.py60
1 files changed, 40 insertions, 20 deletions
diff --git a/src/mailman_pgp/pgp/__init__.py b/src/mailman_pgp/pgp/__init__.py
index 31b61b3..b41c8a1 100644
--- a/src/mailman_pgp/pgp/__init__.py
+++ b/src/mailman_pgp/pgp/__init__.py
@@ -24,25 +24,29 @@ from os.path import join
from mailman.config import config as mailman_config
from mailman.utilities.string import expand
from pgpy import PGPKeyring
-from pgpy.constants import PubKeyAlgorithm
+from pgpy.constants import PubKeyAlgorithm, EllipticCurveOID
from public import public
from mailman_pgp.config import config
KEYDIR_CONFIG_PATHS = ['list_keydir', 'user_keydir', 'archive_keydir']
-KEYPAIR_CONFIG_VARIABLES = ['autogenerate', 'key_type', 'key_length',
- 'subkey_type', 'subkey_length']
+KEYPAIR_CONFIG_VARIABLES = ['autogenerate', 'primary_key', 'sub_key']
-# The main key needs to support signing.
-KEYPAIR_KEY_TYPE_VALID = ['RSA', 'DSA', 'ECDSA']
-# The subkey needs to support encryption.
-KEYPAIR_SUBKEY_TYPE_VALID = ['RSA', 'ECDH']
KEYPAIR_TYPE_MAP = {
'RSA': PubKeyAlgorithm.RSAEncryptOrSign,
'DSA': PubKeyAlgorithm.DSA,
'ECDSA': PubKeyAlgorithm.ECDSA,
'ECDH': PubKeyAlgorithm.ECDH
}
+ECC_OID_MAP = {
+ 'nistp256': EllipticCurveOID.NIST_P256,
+ 'nistp384': EllipticCurveOID.NIST_P384,
+ 'nistp521': EllipticCurveOID.NIST_P521,
+ 'brainpoolP256r1': EllipticCurveOID.Brainpool_P256,
+ 'brainpoolP384r1': EllipticCurveOID.Brainpool_P384,
+ 'brainpoolP512r1': EllipticCurveOID.Brainpool_P512,
+ 'secp256k1': EllipticCurveOID.SECP256K1
+}
@public
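Review bot: The KEYPAIR_TYPE_MAP kept at the top of this hunk still offers `'DSA': PubKeyAlgorithm.DSA` as a primary-key choice, and with the explicit KEYPAIR_KEY_TYPE_VALID list gone the only remaining gate appears to be the `can_sign` check later in the file, which DSA passes. DSA key generation is deprecated in current OpenPGP revisions and its security is tied to the quality of the per-signature nonce, so a list-management tool probably should not let an operator pick it from a config string. If it has to stay for compatibility, I would at least mark it: `'DSA': PubKeyAlgorithm.DSA,  # deprecated; kept only for existing configs`. The ECC_OID_MAP additions look fine, though `secp256k1` and the Brainpool curves are less widely supported by recipients' OpenPGP clients than the NIST curves — worth a comment if that is a known trade-off.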
@@ -56,7 +60,7 @@ class PGP:
Load [keypairs] and [keydirs] config sections. Expand paths in them.
"""
# Get all the [keypairs] config variables.
- self.keypair_config = dict(
+ self._keypair_config = dict(
(k, config.get('keypairs', k)) for k in
KEYPAIR_CONFIG_VARIABLES)
@@ -66,25 +70,41 @@ class PGP:
expand(config.get('keydirs', k), None, mailman_config.paths))
for k in KEYDIR_CONFIG_PATHS)
+ def _parse_key_directive(self, value):
+ key_type, key_length = value.split(':')
+ key_type = key_type.upper()
+ key_length = key_length.lower()
+
+ if key_type not in KEYPAIR_TYPE_MAP:
+ raise ValueError('Invalid key type: {}.'.format(key_type))
+
+ out_type = KEYPAIR_TYPE_MAP[key_type]
+ if key_type in ('ECDSA', 'ECDH'):
+ if key_length not in ECC_OID_MAP:
+ raise ValueError('Invalid key length: {}.'.format(key_length))
+ out_length = ECC_OID_MAP[key_length]
+ else:
+ out_length = int(key_length)
+ return (out_type, out_length)
+
def _validate_config(self):
"""
Validate [keypairs] and [keydirs] config sections. And create
keydirs if necessary.
"""
# Validate keypair config.
- key_type = self.keypair_config['key_type'].upper()
- if key_type not in KEYPAIR_KEY_TYPE_VALID:
- raise ValueError('Invalid key_type. {}'.format(key_type))
- self.keypair_config['key_type'] = KEYPAIR_TYPE_MAP[key_type]
- self.keypair_config['key_length'] = int(
- self.keypair_config['key_length'])
+ self.primary_key_args = self._parse_key_directive(
+ self._keypair_config['primary_key'])
+ if not self.primary_key_args[0].can_sign:
+ raise ValueError(
+ 'Invalid primary key type: {}.'.format(
+ self.primary_key_args[0]))
- subkey_type = self.keypair_config['subkey_type'].upper()
- if subkey_type not in KEYPAIR_SUBKEY_TYPE_VALID:
- raise ValueError('Invalid subkey_type. {}'.format(subkey_type))
- self.keypair_config['subkey_type'] = KEYPAIR_TYPE_MAP[subkey_type]
- self.keypair_config['subkey_length'] = int(
- self.keypair_config['subkey_length'])
+ self.sub_key_args = self._parse_key_directive(
+ self._keypair_config['sub_key'])
+ if not self.sub_key_args[0].can_encrypt:
+ raise ValueError(
+ 'Invalid sub key type: {}.'.format(self.sub_key_args[0]))
# Make sure the keydir paths are directories and exist.
for keydir in self.keydir_config.values():
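Review bot: `_parse_key_directive` accepts any integer for RSA/DSA lengths, so a config line such as `primary_key: RSA:512` passes `_validate_config` and presumably goes straight to key generation; unless pgpy enforces its own floor (not visible here) nothing stops an operator from generating a trivially weak signing or encryption key. The `value.split(':')` on the first line also raises a bare "not enough values to unpack" style ValueError for a directive without a colon, and `int(key_length)` raises Python's generic message for non-numeric lengths, so malformed config is reported less clearly than the invalid-type/invalid-curve branches the hunk does handle. I would parse with `partition`, reject a missing separator explicitly, and enforce a minimum bit length for the non-ECC branch; the number below is a suggestion, and a module-level constant would be cleaner than the literal.

```python
    def _parse_key_directive(self, value):
        key_type, sep, key_length = value.partition(':')
        if not sep:
            raise ValueError('Invalid key directive: {}.'.format(value))
        key_type = key_type.strip().upper()
        key_length = key_length.strip().lower()
        # … unchanged: key type lookup and ECC curve lookup …
        else:
            try:
                out_length = int(key_length)
            except ValueError:
                raise ValueError('Invalid key length: {}.'.format(key_length))
            # Refuse lengths that are considered weak for RSA/DSA today.
            if out_length < 2048:
                raise ValueError('Key length too small: {}.'.format(out_length))
        return (out_type, out_length)
```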